Thought the Snowden leaks were just NSA’s problem? Here are six reasons why they might be your problem, too

By John Dickson


Regardless of what side of the Edward Snowden debate you fall upon – whether you think he’s a traitor or a patriot who helped shed light on an overreaching government agency – you no doubt understand that Edward Snowden has had a profound impact in Washington amongst policy makers, within the hallways of the intelligence community and, most importantly perhaps, upon how business is conducted. In fact, long after Edward Snowden drifts from the headlines, many will point to him as a turning point in how big organizations handle sensitive data and interact with government agencies. For those in IT leadership roles who wonder what the consequences of the Snowden release are on corporate America, the following ideas represent what I think is likely to play out over the next several months. In the long term, these changes might actually have a more day-to-day impact on the way we conduct business and interact online. In the short term, you will at least be able to answer the question from your CEO or CFO about what the impact of Snowden might be on your organization.

For instance, some of the changes that are likely to play out in Fortune 500 and smaller companies include:

1. Companies will be more wary of cooperating with governments. I use the plural word “governments” because this is happening not only with the US Federal Government, but with government at all levels, such as local law enforcement and state agencies. Where some companies strived to cooperate beyond the letter of the law, now the opposite will be the case. Instead, corporate counsels across the country are more likely to push back more vigorously against requests that appear to be too broad and overreaching and, in their place, define these requests in the narrowest terms possible. That was most likely already the case with Silicon Valley tech companies prior to the Snowden releases, but it will now be more prevalent with the companies that traditionally cooperated more closely with the US government and law enforcement (e.g., telephone companies). For international companies that operate in multiple countries, this issue may be particularly thorny.

2. Tighter cooperation between security, privacy and corporate counsel will occur. In most large companies, departments exist that manage security, privacy, and legal matters within the organization. In certain instances, companies have formalized the roles of each, including elevating the privacy function by hiring or promoting a “Chief Privacy Officer.” Most of these departments don’t typically work closely together on a day-to-day basis, but that is changing due to the Snowden revelations. Where these disparate corporate functions worked together on a case-by-case and event-driven basis, they will now be forced to coordinate more closely and will be more likely to meet with each other regularly. In the long term, these relationships will maintain this close integration because the policy side of these discussions will remain the domain of the privacy and corporate counsel departments, while the means to implement the policies will remain with the security function, the other side of the equation.

3. Companies will review and update their public privacy statements. As an outgrowth of the aforementioned tighter cooperation, companies are adjusting their privacy statements so they are more in line with their internal practices. The perception from Snowden – correct or incorrect – is that most corporate privacy statements didn’t accurately reflect a company’s true practices concerning compliance with government requests. As a result, the public now thinks that many companies gushed publicly about how they guarded and protected customer data while, in fact, they were handing over the keys to the kingdom to law enforcement and the NSA. However, I believe that a ton of misinformation and surface-level analysis appeared in the press that is not based in reality. In fact, my take is that most companies were NOT falling all over themselves to provide their customer data to the NSA. The problem is that the perception is out there, and a lot of damage has been done to customer trust as a result. The end product is that I believe public privacy statements will now be more muted and more in line with internal practices. I also believe that companies will go on the offensive when announcing their customer privacy protections in an attempt to repair these perceptions.

4. CEOs will question why companies keep certain sensitive customer data at all. I predict that more company leaders – CISOs, CIOs and executive management – will be asking, “Why do we even collect this information in the first place?” Be prepared! Up to this point, only the most sophisticated organizations scrutinized corporate efforts to collect private customer data. The norm was truly “the more, the better,” and it was almost always driven by marketing departments. That has certainly changed post-Snowden. Going forward, collecting private information electronically will more likely imply that a company will provide some modicum of protection for it. I remember not too long ago getting asked for my driver’s license number for a trial gym membership. Why? More leaders will ask the same question.

5. Legislation to cooperate with the US Federal Government on information sharing is likely dead. See observation #1 above. The conventional wisdom in D.C. was that, in spite of a poisoned political environment, some type of information sharing legislation would be passed in 2013. That did not happen, and we can likely thank Mr. Snowden for sowing the seeds of distrust in corporate America that hastened the death of information sharing this past year. No doubt, everyone took a step back after Snowden and is now looking for a real business justification that makes it worth working with government in this manner. In the interim, industry cooperation within sectors will continue via forums such as the Information Sharing and Analysis Centers (ISACs), which are trusted entities established by Critical Infrastructure and Key Resources owners and operators that share this information within the sector, with other sectors, and with the government.

6. International clients will ask American IT companies tougher questions. Without a doubt, American IT companies have been on the defensive with non-US clients since the Snowden releases became public. For example, the RSA story about its alleged cooperation with the NSA is potentially very damaging from the perspective of RSA’s ability to compete internationally. In discussions with colleagues involved in the hosting industry, the questions are particularly blunt. If your company handles sensitive information from international clients, and especially if you are a cloud provider, you need to be ready to answer questions about your organization’s cooperation with US law enforcement and government organizations and how that may affect their business. In fact, I’d suggest that you think through these issues now and reach out to your international clients before they ask the question. In addition, I recommend that whatever you communicate truly be in line with your disclosure practices, because getting caught à la Snowden could deeply damage any international business for your company in the future.

No one knows how long the Snowden releases will continue to appear in the press. Aside from the headlines that grab attention from time to time, corporate IT leaders would be well served to look beyond the headlines to identify the long-term impact on their organization. The range of responses to these Snowden releases will vary from company to company and from industry to industry. The bottom line, though, is that your response will be greatly driven by your corporate culture and the risk appetite of your organization. Issues of international competition should not be taken lightly given the negative reactions American companies are already receiving. Whether we like it or not, Edward Snowden’s revelations have forever changed the world within which we live. We think these long-term impacts are likely to play out, and one should be prepared to respond to some or all of them.

–John

john _at_ denimgroup.com

@johnbdickson

[Edward Snowden image is the property of Laura Poitras/Praxis Films. Used under the terms of the Creative Commons Attribution 3.0 Unported license.]

About dancornell

Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader. Dan speaks at such international conferences as RSA, ROOTs in Norway and OWASP AppSec EU.
